23andMe acknowledged this week that data from users of its genetic testing and analysis platform has been circulating on dark web forums after what it says was a credential-stuffing attack, according to BleepingComputer. The outlet wrote that a hacker reportedly leaked what they said was “1 million lines of data” for Ashkenazi Jewish people before saying they would sell the stolen data for $1 – $10 per account. The data includes users’ names, profile photos, genetic ancestry results, date of birth, and geographical location.
In a statement provided to BleepingComputer, the company confirmed the data is legitimate, but said attackers hadn’t breached its internal systems. According to the company, “the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.” BleepingComputer reports that while the initial attack relied on passwords shared with accounts on previously compromised services, much of the leaked data was scraped from additional accounts using one of 23andMe’s own features, called “DNA Relatives.”
As many as 7 million accounts may be in the sale, PCMag reported on Wednesday, citing a post from Dark Web Informer that shared screenshots of another now-deleted hacker forum post. That’s roughly half the total number of users on 23andMe’s platform. According to Ars Technica, hackers claimed that 23andMe’s CEO knew about the leaked data two months prior, but didn’t disclose the incident.
Meanwhile, 23andMe has posted this message from a support account: